Spreadsheet Risks in Banks

No other industry perhaps handles such large volumes of critical financial data more than the banking industry. For decades now, spreadsheets have become permanent fixtures in the front-line reporting tool sets of banks, providing organised information when and where needed.

But as banks enter into a period of heightened credit risks, elevated levels of fraud, and greater regulatory scrutiny, many are wondering if continued reliance on spreadsheets is a wise decision for banks today.

The downfall of Lehman Brothers which eventually led to its filing for Chapter 11 bankruptcy protection on September 15, 2008, served as a wake up call for many institutions across the globe to make a serious examination of their own risk management practices. But would these reforms include evaluating the security of user developed applications (UDAs), the most common of which are spreadsheets, and putting specific guidelines as to when they can – or cannot be – used?

Banks and Spreadsheet Use

Banks have been known to utilise spreadsheets systems for many critical functions because most personnel are well-acquainted with them, and the freedom of being able to develop customised reports without needing to consult with the IT department offers flexibility and convenience. In fact, more than having a way to do financial budgeting and analysing customer profitability, even loan officers and trade managers have become reliant on spreadsheets for risk management reporting and for making underwriting decisions.

But there are more than a few drawbacks to using spreadsheets for these tasks, and the sooner bank executives realise these, the sooner they can adopt better solutions.

General Limitations

Spreadsheets are far from being data base systems and yet more often than not, they are expected to act as such, with figures constantly added and formulas edited to produce the presumably right set of reports.

In addition, data integrity is always a cause for concern as most values in spreadsheets are entered as manual inputs. Even the mere misplacement of a comma or a negative sign, or an inadvertent ?edit? to a formula can also be a source of significant changes in the outcome.

Confidentiality risk is also another drawback of the use of spreadsheets in banks as these tools do not have adequate?access controls to limit access to only authorised individuals. Pertinent financial information that fall into the wrong hands can lead to a whole new set of problems including the possibility of fraud.

Risks in Trading

For trading transactions, spreadsheets can prove to be of immense use – but only for small market volumes. As trade volumes increase and the types vary, spreadsheets are no longer a viable solution and may likely become more of a hindrance, with calculations taking longer in the face of bigger transaction amounts and growing transaction data.

And in trading, there is always the need for rigorous computational functions. Computing for the Value at Risk (VaR) for large portfolios for instance, is simply way beyond the capabilities of spreadsheets. Banks that persist in using them are increasing the risk of loss on those portfolios. Or, they can be opening up?opportunities for fraud?as Allied Irish Bank (in the case of John Rusnak – $690 million) learned the hard way.

Risks in Underwriting

Bankers who use spreadsheets as their main source of information for underwriting procedures also face certain limitations. Loan transactions require that borrowers? financial data be centralised and easily accessible to risk officers and lending officers involved in making decisions. With spreadsheets, there is no simple and secure way of doing that. Information can be pulled from different sources – individual tax returns, corporate tax documents, partnership documents, audited financial statements – hence there is difficulty in verifying that these reports adhere to underwriting policies.

Spreadsheet control and monitoring

Financial institutions which are having difficulty weaning themselves from the convenience and simplicity that spreadsheets offer are looking for possible control solutions. Essentially, they want to find ways that allow them to continue using these UDAs and yet somehow eliminate the?spreadsheet risks?and limitations involved.

Still, the debate goes back and forth on whether adequate control measures can be implemented on spreadsheets so that that the risks are mitigated. Many services have come forward to herald innovative solutions for better spreadsheet management. But at the end of the day, there really is no guarantee that such solutions would suffice.

More Spreadsheet Blogs


Spreadsheet Risks in Banks


Top 10 Disadvantages of Spreadsheets


Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry


How Internal Auditors can win the War against Spreadsheet Fraud


Spreadsheet Reporting – No Room in your company in an age of Business Intelligence


Still looking for a Way to Consolidate Excel Spreadsheets?


Disadvantages of Spreadsheets


Spreadsheet woes – ill equipped for an Agile Business Environment


Spreadsheet Fraud


Spreadsheet Woes – Limited features for easy adoption of a control framework


Spreadsheet woes – Burden in SOX Compliance and other Regulations


Spreadsheet Risk Issues


Server Application Solutions – Don’t let Spreadsheets hold your Business back


Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

Introduction to Matrix Management

A leader is responsible to empower his people and get the best out of them. Yet an organisational structure can either help or hamper performance. Worst, it can make or break success.

Looking at the fast-changing world of the global economy, whatsoever slows up and obstructs decision-making is a challenge. Hierarchical management is rather unattractive and functional silos are unlikable. Instead, employees desire to create teams equipped with flexibility, cooperation and coordination.

Recognising that companies have both vertical and horizontal chains of command, the matrix model is created. The concept of this principle lies in the ability to manage the collaboration of people across various functions and achieve strategic objectives through key projects.

Consider this scenario:

Ian is a sales executive of a company. His role is to sell a new product under the supervision of a product manager. The manager is expert about the product and she is accountable to coordinate the people across the organisation, making sure the product is achieved.

Moreover, Ian also reports to the sales manager who oversees his overall performance, monitors his pay and benefits and guides his personal development.

Complicated it may seem but this set-up is common to companies that seek to maximise the effect of expert product managers, without compromising the function of the staffing overhead in control of the organisation. This is a successful approach to management known as Matrix Management.

Matrix Management Defined

Matrix management is a type of organisational management wherein employees of similar skills are shared for work assignments. Simply stated, it is a structure in which the workforce reports to multiple managers of different roles.

For example, a team of engineers work under the supervision of their department head, which is the engineering manager. However, the same people from the engineering department may be assigned to other projects where they report to the project manager. Thus, while working on a designated project, each engineer has to work under various managers to accomplish the job.

Historical Background

Although some critics say that matrix management was first adopted in the Second World War, its origins can be traced more reliably to the US space programme of the 1960’s when President Kennedy has drawn his vision of putting a man on the moon. In order to accomplish the objective, NASA revolutionised its approach on the project leading to the consequent birth of ?matrix organisation?. This strategic method facilitated the energy, creativity and decision-making to triumph the grand vision.

In the 1970’s, matrix organisation received huge attention as the only new form of organisation in the twentieth century. In fact it was applied by Digital Equipment, Xerox, and Citibank. Despite its initial success, the enthusiasm of corporations with regards to matrix organisation declined in the 1980’s, largely because it was complex.

Furthermore, the drive for motivating people to work creatively and flexibly has only strengthened. And by the 1990’s, the evolution of matrix management geared towards creation and empowerment of virtual teams that focused on customer service and speedy delivery.

Although all forms of matrix has loopholes and flaws, research says that until today, matrix management is still the leading approach used by companies to achieve organisational goals.

9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Could Kanban Be?Best for Knowledge Workers?

Knowledge Workers include academics, accountants, architects, doctors, engineers, lawyers, software engineers, scientists and anybody else whose job it is to think for a living. They are usually independent-minded people who do not appreciate project managers dishing out detailed orders. Kanban project management resolves this by letting them choose the next task themselves.

The word ?Kanban? comes from a Japanese word meaning ?billboard? or ?signboard?. Before going into more detail how this works let’s first examine how Japanese beliefs of collaboration, communication, courage, focus on value, respect for people and a holistic approach to change fit into the picture.

The Four Spokes Leading to the Kanban Hub

  1. Visualise the Workflow ?You cannot improve what you cannot see. The first step involves team members reducing a project to individual stages and posting these on a noticeboard.
  2. Create Batches ? These stages are further reduced to individual tasks or batches that are achievable within a working day or shift. More is achievable when we do not have to pick up where we left off the previous day.
  3. Choose a Leader the Team Respects – Without leadership, a group of people produces chaotic results. To replace this with significant value they need a leader, and especially a leader they can willingly follow.
  4. Learn and Improve Constantly ? Kaizen or continuous improvement underpins the Japanese business model, and respects that achievement is a step along the road, and not fulfilment.

The Kanban Method in Practice

Every Kanban project begins with an existing process the participants accept will benefit from continuous change. These adjustments should be incremental, not radical step-changes to avoid disrupting the stakeholders and the process. The focus is on where the greatest benefits are possible.

Anybody in the team is free to pull any batch from the queue and work on it in the spirit of collaboration and cooperation. That they do so, should not make any waves in a culture of respect for people and a holistic approach to working together. All it needs is the courage to step out of line and dream what is possible.

The Kanban Project Method ? Conclusions and Thoughts

Every engine needs some sort of fuel to make it go. The Kanban project management method needs collaboration, communication, courage, focus on value, respect for people and a holistic approach to work. This runs counter to traditional western hierarchies and probably limits its usefulness in the West.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today